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Tales from the Crypto 

A Look at Embedded Design Security 



The bad guys are out to steal your design, your code, your tools, your customers, 
and anything else that isn't nailed down. Forget about trust, every designer needs 
to pay more attention to verification. Fortunately, you can use some silicon to help 
you keep your secrets safe. 



t's interesting to contemplate how much of 
_a person's net worth devolves to a few 
kilobytes of account information scattered 
around the ether. I keep thinking someday 
we'll all wake up and sign onto our accounts 
as usual only to find every financial asset we 
thought we owned was zeroed overnight. Easy 
come, but even easier to go, when all it takes 
is a "security lapse" — a noxymown (i.e., two 
words that should go together) — and a few 
milliseconds to steal your bits. 




Photo 1— The JAMrl Crypto-Authentication starter kit makes it easy to put 
the. '1025 and '10H5 through their paces, -unless you get an attack of the 
dropsies. The fumble-fingered need not apply. 



Identity theft is a big deal, even for embed- 
ded apps. Consider the ongoing brouhaha over 
counterfeit consumables like laptop batteries 
and inkjet printer cartridges. 111 There are argu- 
ments on both sides of the issue, but no argu- 
ment the stakes are high. 

If breaking into silicon can happen at the 
speed of light, the solution is more silicon 
that can stop the nefarious bit busters in their 
tracks. Let's take a look at some new silicon 
security guards from Atmel that you can 

deploy to harden your design 
against attack. 



WHO GOES THERE? 

J asked him if he thought 
Detroit would win the World 
Series. He said no, but they put 
up a bloody good fight. We , 
pulled them out of the Jeep 
because the World Series had 
been between the Cardinals and 
Browns. m — Robert Giavilin, 
"The 3 AD in the Battle of the 
Bulge" 

A fundamental challenge for 
any security regime is know- 
ing who you're talking to, and 
that's exactly the capability 
Atmel's new "Crypto-Authen- 
tication" chips bring to the 
party. In the case of the 1 
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AT88SA102S, the protection comes at 
a remarkably small price. Not only is 
the per-chip cost low at just $0.72 (in 
quantities of 100), but as you can see 
(barely) in Photo 1, board space for 
these tiny three-pin padlocks isn't an 
issue (although finding one you drop 
on the floor is). Running on anything 
from 2.5 to 5 V, the T02S does con- 
sume a healthy 10 mA during the 
time it takes to actively vet creden- 
tials. However, average power con- 
sumption will be much less, presum- 
ing the chip can spend most of its 
time off-duty sleeping at just 100 nA. 
Indeed, in many applications (such as 
the aforementioned batteries and 
inkjet cartridges), authentication may 
take place just once during initial 
installation. 

The essence of authentication is 
that the host confirms that a would-be 
client knows a shared secret as in a 
typical password arrangement. You 
could configure a '102S to work that 
way and be done with it. With a 
whopping 256-bit "password," 
attempting to break-in by trying every 
combination will be slow going 
indeed. It's all the more true when you 
realize a brute-force attack is limited 
by '102S throughput to maybe 10 tri- 
als per second. 

Hmm, with more than 10 77 possible 
combinations, it will take more than 
10 76 seconds to try them all, which is 
a real long time, about a zillion years 
(OK, 10 68 ) plus or minus. But remem- 
ber, chances are the crooks won't have 
to try every combination before stum- 
bling on the right one. OK, so on aver- 
age, it will only take half a zillion 
years. Do you feel lucky, punk? Well, 
do 'ya? 

You'd think the evildoers would be 
better off stealing lottery tickets. 
However, there's an all too obvious 
weakness with a simple password 
scheme — namely, that the password 
can be overheard and replayed by an 
eavesdropper or "man in the middle." 
The spy-versus-spy solution calls for 
an elaborate scheme by which the 
spymaster (i.e., host) confirms that a 
to-be-vetted agent (i.e., client) knows 
a secret without requiring the agent 
to actually divulge the secret (in 
which case it might be overheard). If a 



password is never passed, it can't be 
stolen. 

Here's how it works with a '102S. 
The host issues a 256-bit "challenge" 
to the '102S. In turn, the '102S uses 
that number along with information 
hidden on-chip (e.g., a 256-bit "key," 
48-bit unique chip ID, 64 bits of user- . 
programmed "secret" fuses) as inputs 
to a "Secure Hashing Algorithm" 
(SHA-256)J 3 1 The 256-bit result of the 
SHA-256 calculation (called the 
"digest") is returned to the host in 
response to the challenge. Meanwhile, 
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Figure 1— You can get by connecting a 
'1025 with Just two wires by tapping power 
from the signal line, Since the pull-up resis- 
tor (the '1025 output is open drain) and 
bypass capacitor are required in any case, all 
it takes is the addition of a 5chottky diode. 
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the host — knowing both the chal- 
lenge it issued and the secret infor- 
mation that should be in an authen- 
tic client — can compare the expected 
result to that received from the 
'102S. If the digests match, the client 
is authenticated without the secret 
information ever passing hands. 

Hashing is fundamentally a compres- 
sion scheme that encodes a big — and 
possibly variable in length — chunk of 
data in a small piece of fixed length 
data. It's a concept that's fundamen- 
tal to many aspects of computing. 
For instance, virtual memory and 
caching both rely on hashing to 
translate memory addresses from big 
spaces into smaller ones. A file sys- 
tem can use hashing to map, for 
example, an arbitrary customer name 
and address to a unique record num- 
ber on disk. Heck, even the lowly 
CRC and checksum are examples of 
hashing functions that distill a pack- 
et down to a byte or two. 

Security apps call for hashing func- 
tions with particular features to 
stymie would-be crackers. For 
instance, the chances that two differ- 
ent inputs to the hashing function 
will produce the same output (called 



a "collision") must be minimized. 
The output of the hashing function 
should change in a seemingly random 
way, even for minor changes (i.e., a 
bit at a time) of the input. Oh yeah, it 
helps if the calculations involved 
don't require a supercomputer. 
. Far be it from me to weigh in on 
cryptographic nuances and controver- 
sies. I'll let Atmel speak for them- 
selves when they say: "The NSA and 
universities involved in cryptograph- 
ic research all agree that a brute 
force attack on SHA-256 is essential- 
ly impossible." 14 ' At the same time, 
the algorithm (mainly a bunch of 
shifting and Boolean logic) is quite . 
manageable (time and space) for even 
an 8-bit MCU. 

Sounds good, but the scheme is 
still subject to eavesdropping if the 
challenge is always the same. How- 
ever, by taking advantage of the user- 
programmed fuses (i.e., secrets) and 
unique chip ID, the jeopardy can be 
limited to a single host-client pair- 
ing. Eavesdropping on a '102S that 
works with a particular host won't 
help the bad guy break into another 
host that expects a '102S with a dif- 
ferent chip ID or fuse secrets. 



A more robust solution calls for 
the host to vary the challenge similar 
to the way your car door lock remote 
control uses a "rolling code," Now a 
transient eavesdropper is up a creek 
because the challenge changes each 
time and capturing a single chal- 
lenge-and-response transaction does 
little good. 

The simplest option has the host 
store a number of precomputed chal- 
lenge and response pairings at 64 
bytes per pair. The more the pairings, 
the longer it will take an eavesdrop- 
per to capture them all. A better 
solution — although it's one that 
requires the host to perform the 
SHA-256 calculation — factors a ran- 
dom number into the challenge, 
keeping in mind the usual caveats 
(i.e., how truly random your random 
number generator is). 

It's clear a T02S can harden a design 
against brute-force and eavesdropping 
attacks, but what about an inside job? 
A possible weak link in the aforemen- 
tioned scheme is that it depends on 
the security of the shared secrets 
stored in the host, secrets which may 
be stolen (e.g., source code), reverse- 
engineered (e.g., execution trace), or 
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Figure 2— The RF04C is a passive RFID tag with a difference— namely, EEPROM to store your secrets and bulletproof security to keep them 
safe. - t 
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Command Name 


Description 


Abort 


Exit command in progress 


Clear 


Exit command in progress, clear buffer, turn RF OFF 


Poll Continuous 


Poll continuously for Type B PICCs 


Poll Single 


Poll once for Type B PICCs 


Read Buffer 


Read data buffer 


Read Register 


Read configuration register 


RF OFF 


Turn off 13.56 MHz RF field 


RF ON 


Turn on 13.56 MHz RF field 


Sleep 


Activate standby mode 


TX Data 


Transmit data to PICC and receive the response 


Write Buffer 


Write data buffer 


Write Register 


Write configuration register 



Table 1— I know little about RFID protocols and standards. And thanks to the 
intelligence embedded In the AT88RF1354 reader-on-a-chip, I never will. It hides 
the gory details— managing the radio, packet-handling collision resolution and so 
on— behind a simple serial interface and concise menu of high-level commands. 



inadvertently exposed (e.g., software bug). 

To that end, Atmel offers the AT88SA10HS, which is 
quite similar to — and designed to work in tandem with — the 
'102S. In this configuration, the host issues a challenge to 
both chips and delivers the response digest calculated by the 
'102S to the '10HS. In turn, the '10HS decides whether the . 
'102S response is authentic and simply gives the host a 
yes/no result. Note that none of the secret information or 
results of any calculations are ever known (or knowable) by 
the host and thus can't be leaked. 

That leaves a direct attack on the Atmel silicon — truly 
black-hat stuff — as the last resort. For obvious reasons, the 
documentation doesn't go into a lot of detail, but mention 
is made of a variety of physical protection mechanisms. 
These include chip shielding, tamper and pin-attack detec- 
tion, internal clock dithering, and secrets dispersed across 
the die, not just sitting in a ROM. 



to turn the bus around and 



issuing comma 
avoid collisions. 

Some applications might require the simul- 
taneous authentication of multiple clients. 
The good news is that multiple T02S chips 
can ride on a single SIGNAL line. The bad 
news is that the protocol is a little goofy as it 
requires you to issue a command to each chip 
you don't want to talk to (telling it you don't 
want to talk to it) before you can talk to the 
chip you want to talk to. 

Absent a pin for a clock, signaling is natural- 
ly asynchronous. The bit timing is a little 
bizarre in that it's asymmetric (i.e., 39 (is from 
the host to the T02S versus 60 |is in the other 
direction). I was figuring some bizarre bit- 
banging software would be required, but it 
turns out you can fake it with a standard 
UART running at 230.4 kbps. (Each byte trans- 
ferred by the UART accomplishes a single bit transfer on 
the SIGNAL line.) 

Chips without a RESET pin always make me nervous. 
It's almost inevitable that a hardware or software glitch 
will lead to a dead-end or loss of control that requires a 
power cycle. The '102S addresses the problem in two 
ways. First there's an I/O timeout that puts the chip to 
sleep if I/O gets out of sync. That way the chip won't get 
hung up waiting indefinitely for bits the host isn't send- 
ing. Similarly, a glitch on the SIGNAL line could wake up 
a sleeping T02S. Not knowing the T02S woke up, the host 
wouldn't know it needs to issue (or reissue) a SLEEP com- 
mand. To solve this dilemma, the T02S has a watchdog 
timer that puts the chip to sleep a few seconds after it 
wakes up, no matter what (i.e., even if it is in the middle 
of executing a command or I/O). This strategy— which is, 



LESS IS MORE 

Needless to say, with just three pins 
(VCC, VSS, and SIGNAL), the hard- 
ware interface is easy. In fact, you can 
get by with just two pins using the old 
trick of tapping the I/O line to power 
the chip (see Figure 1). Atmel's appli- 
cation note titled "Crypto- Authentica- 
tion" describes the details, such as 
how to size the capacitor and pull-up 
resistor considering the power supply 
(i.e. worst-case SIGNAL pin duty 
cycle) and demand (chip is awake, 
sleeping, calculating, performing I/O, 
etc.).' 4 ! 

Having less pins to deal with may 
make the hardware easy, but it does 
require more work from your software 
driver. The single SIGNAL pin has to 
serve half-duplex duty in both direc- 
tions, so the driver is responsible for 
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Figure 3— The RF04C features mutual (i.e., two-way) authentication in which both the host 
and client verify each other's Identity and the integrity of messages is protected in both 
directions. 
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Photo 2— The JAVAfl software exercises Crypto- 
Authentication chip features and also demos some 
example applications. Going beyond a password or 
"your mother's maiden name," the chips could be 
used to verify that a person on the other end of a 
phone call or e-mail truly holds the key. 



"if in doubt, sleep" — is all well and 
good, but it means your driver code 
has to be cognizant of timing less it 
run afoul of the automatic failsafes. 

It's all a bit cumbersome, but 
maybe that's appropriate. The bad 
guys will have to deal with this too. 
Why make it easier? 

On the other hand, Atmel does just 
that with the JAVAN EV kit ($99.95, 
quantity of one) that connects to 
your PC via USB. Thankfully, 
the board includes some cute 
little sockets, one for a 
"Client" (e.g., '102S) and one 
for a "Host" (e.g., 'lOHS). 
Otherwise, I'm just not sure 
how you would homebrew a 
programming and prototyping 
lash-up for these laughably 
tiny chips. 

Better yet/the JAVAN kit 
comes with some handy PC 
utility software to access, 
program, and demo the chips 
(see Photo 2). Debugging 
security hardware and soft- 
ware can be tough because 
it's just that — secure. There's 
really no way to test that 
you've set up and pro- 
grammed the Atmel chips 
correctly after the fact, other 
than trying them out. If 
you're having problems, is it 
your chip setup or hardware 



interface or driver software 
that's to blame? Or maybe 
it's all of the above? Having a 
stable and proven platform 
like JAVAN to start with real- 
ly helps reduce hassles and 
head-scratching as you craft 
your own design. 



TRICKY TAG TEAM 

The Crypto-Authentication 
chips aren't Atmel's first 
foray into security. Earlier 
offerings included a line of 
CryptoMemory chips that I 
covered back in 2007 ("Sili- 
con Secrets," Circuit Cellar 
205). You'll recall the Cryp- 
toMemory chips combine 
security features (e.g., keys, 
passwords, authentication, 
and encryption) and defenses 
against attack (e.g., password/authen- 
tication attempt counters, tamper 
detection, silicon shielding, and 
secret obfuscation) with 4 to 64 Kb 
of EEPROM. 

Now Atmel offers "CryptoRF" parts 
that extend the CryptoMemory con- 
cept with the addition of RFID capa- 
bility. Consider the AT88RF04C 
($0.95, quantity 100), which combines 
a 4-Kb CryptoMemory and a standard 




Photo 3— The BAMBOO CryptoRF starter kit comes with an 
U5B plug-in AT88RF1354-based RF reader and quiver of 
RF04C CryptoRF tags. 



(ISO/IEC 14443 Type B) 13.56-MHz 
RFID interface (see Figure 2). I'm not 
an expert in the RFID field, but it 
appears this "13.56-MHz Type B" is a 
very widely used standard, which 
means the 'RF04C should be compat- 
ible with a lot of different readers. 
Or, for that matter, it's easy to 
design your own since Atmel is also 
introducing the AT88RF1354, virtu- 
ally a complete reader on a chip 
($1.59, quantity 100). You can put 
the pair through their paces with the 
"Bamboo" CryptoRF evaluation kit 
for just $99.95 (see Photo 3). 

The 'RF04C is a so-called "pas- 
sive" tag. That means it's completely 
powered from the RF field generated 
by the reader, so the tag itself doesn't 
need a battery and will keep working 
indefinitely. And despite their fragile 
appearance, the tags are robust 
enough to use across the industrial 
temperature range of -40° to 85° C, 
the only caveat being EEPROM data 
retention is derated at higher temper- 
atures (e.g., 10 years at 55°C versus 
30 years at 35°C). Write endurance is 
100,000, cycles which seems more 
than adequate, even for long-life 
applications. 

Combining "passive" power via RF 
with EEPROM poses unique chal- 
lenges. Foremost among 
them is the fact that power 
may disappear at any time, 
possibly during writes to the 
EEPROM, which is a real no- 
no. To protect the integrity of 
EEPROM, the 'RF04C incor- 
porates a unique two-stage 
"anti-tearing" write cycle. 
When enabled, EEPROM 
write data is first sent to a 
temporary EEPROM buffer 
and then, after that Write 
completes successfully, on to 
the main array. If power fails 
during the first (buffer) write, 
the main array data remains 
unaffected. If power fails dur- 
ing the second (main array) 
write, the chip tries again 
(i.e., writes the main array 
from the buffer) at the next 
power-up. 

RFID is trickier than its 
lowly bar code and prdce-tag 
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Photo 4— The BAMBOO kit software does two useful things. First, it lets you see what's hap- 
pening on the radio link, a must for debugging any wireless app. Second, it lets you get 
under the hood of the CryptoMemory chip and twiddle bits (EEPROM, passwords, configura- 
tion, fuses, etc.) to your heart's content. 



roots might imply. Notably, there's 
the issue of "collision" to deal with. 
That is, what happens when multiple 
tags are simultaneously within the 
reader's range? 

The ISO standard incorporates an 
anti-collision protocol to sort things 
out. The tag and reader both support a 
user-programmable "Application Fam- 
ily Identifier," which would presum- 
ably allow the reader to selectively 
poll amongst a group of tags. If you 
refer to the 'RF04C tag block diagram, 
you'll notice how the box labeled 
"Anticollision" utilizes the on-chip 
random number generator. Presum- 
ably, the random number provides the 
basis for tags to schedule around and 
otherwise resolve collisions. 

Fortunately, there's no need to grap- 
ple with such low-level machinations 
since the 'RF1354 reader IC handles 
all the gory details behind the scenes. 
All you need to deal with is a simple 
hardware interface (SPI or TWI) and 
command set (see Table 1). Power up 
the reader in the presence of multiple 
tags and it will automatically sort 
through them to connect to just one 
(see Photo 4). 

Speaking of powering up, do 
remember that delivering the juice to 
power the tag from the reader via RF 
is a nifty concept, but it isn't real effi- 
cient. During tag interrogation, the 
'RF1354 can burn more than 1 W, 
which is plenty for such a small part. 



To avoid overheating that might 
occur, most likely when using the 
"Poll Continuous" command, the sur- 
face-mount package incorporates a 
thermal pad on the bottom that 
should be soldered to thermal vias 
that dissipate the heat from the chip 
around your PCB. 

Any time the subject of RFID and 
"smart tags" comes up, folks worry 
crooks will be sniffing RF for secrets 
and Big Brother will be tracking their 
every move. That's not likely with 
'RF04C security features that include 



64-bit mutual authentication and 
encryption (see Figure 3), zone-by- 
zone keys and passwords, and access 
attempt counters. There's also the 
practical matter that the range for 
these "near-field" (i.e., inductive] tags 
is just 15 mm (less than an inch), 
although Atmel also offers a larger 
"smart card" tag that's good for up to 
10 cm (a few inches). In any case, if a 
crook wants to try to eavesdrop or 
smooth talk an 'RF04C, they're going 
to have to either get real up close and 
personal or homebrew their own high- 
power reader. 

WHAT WILL YOU DO? 

As if credit card fraud, identity 
theft, stolen e-mail, and the like 
weren't enough, I imagine it's only a 
matter of time before embedded apps 
come under increased security scruti- 
ny. Take a close look at your own 
application. How much do you stand 
to lose if someone steals the family 
jewels, or worse, sabotages operation 
in such a way that someone gets 
hurt? At less than a buck, Atmel's 
security add-ons provide an easy and 
inexpensive way to armor existing 
applications without going through 
the hoops of a ground-up redesign. 

Trust me (and only me) when I say 
it seems like a small price to pay for 
peace of mind. SI 



Tom Cantrell has been working on chip, board, and systems design and marketing for 
several years. You may reach him by e-mail at tom.cantrell@clrcuitcellar.com. 
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